This file lists the major changes made between the last released
version of Owl and Owl-current. While some of the changes listed here
may also be made to a stable branch, the complete lists of stable
branch changes are included with those branches and as errata for the
corresponding Owl releases only.
This is very far from an exhaustive list of changes. Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem. They are, however, mentioned in
change logs for the packages themselves.
Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive). Please note that the specified risk impact is just that,
it is not the overall severity, so other metrics are not factored into
it. For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.
Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be persistent DoS
(where the DoS effect does not go away with a (sub)system restart), data
loss, bugs enabling non-critical information leaks, cryptographic
signature forgeries, and/or sending of or accepting spoofed/forged
network traffic (where such behavior was unexpected), as long as they
would not directly allow for a "high" impact attack. Finally, a typical
"high" impact vulnerability would allow for privilege escalation such as
ability to execute code as another user ID than the attacker's (a
"local" attack) or without "legitimately" having such an ability (a
"remote" attack).
The metrics specified are generally those for a worst-case scenario;
however, in certain cases ranges such as "none to low" and/or "local to
remote" may be specified, referring to the defaults vs. a worst-case yet
"legitimate" custom configuration. In some complicated cases, multiple
issues or attacks may be dealt with at once. When those differ in their
severity metrics, we use slashes to denote the possible combinations.
For example, "low/none to high, remote/local" means that we've dealt
with issue(s) or attack(s) that are "low, remote" and those that are
"none to high, local". In those tricky cases, we generally try to
clarify the specific issue(s) and their severities in the description.
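To make the notation above concrete, here is an added example (not part of the Owl documentation or its tooling) in Python that expands a "Severity:" string into the individual combinations it denotes, following the rules stated above: metrics are comma-separated, slash-separated alternatives pair up by position, and a metric without slashes applies to every combination. The Severity class, the function names and the optional third metric handling are this example's own choices.

```python
"""Expand Owl CHANGES "Severity:" strings into (impact, vector, mode) combinations."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vocabularies fixed by the conventions described in the CHANGES file.
IMPACT_LEVELS = ("none", "low", "medium", "high")
VECTORS = ("local", "remote", "indirect")
MODES = ("active", "passive")


@dataclass(frozen=True)
class Severity:
    impact: str          # e.g. "high", or a range such as "none to high"
    vector: str          # e.g. "remote", or a range such as "local to remote"
    mode: Optional[str]  # "active", "passive", or None when the string omits it


def _check_metric(value: str, vocab: Tuple[str, ...], name: str) -> str:
    """Accept one vocabulary word or an "X to Y" range over that vocabulary."""
    parts = [p.strip() for p in value.split(" to ")]
    if len(parts) not in (1, 2) or any(p not in vocab for p in parts):
        raise ValueError(f"bad {name} metric: {value!r}")
    if len(parts) == 2 and parts[0] == parts[1]:
        raise ValueError(f"degenerate range: {value!r}")
    return " to ".join(parts)


def parse_severity(text: str) -> List[Severity]:
    """Expand a Severity string into the list of combinations it denotes.

    "low/none to high, remote/local" pairs alternatives by position, giving
    ("low", "remote") and ("none to high", "local"); a metric without slashes
    applies to every combination. The active/passive metric is optional,
    matching the example in the conventions text that omits it.
    """
    text = text.strip()
    if text.lower().startswith("severity:"):
        text = text[len("severity:"):].strip()
    metrics = [m.strip() for m in text.split(",")]
    if len(metrics) not in (2, 3):
        raise ValueError(f"expected 2 or 3 metrics, got {len(metrics)}: {text!r}")
    alternatives = [[a.strip() for a in m.split("/")] for m in metrics]
    width = max(len(alts) for alts in alternatives)
    for alts in alternatives:
        if len(alts) not in (1, width):
            raise ValueError(f"slash counts do not line up in {text!r}")
    vocabs = [(IMPACT_LEVELS, "impact"), (VECTORS, "vector"), (MODES, "mode")]
    combos = []
    for i in range(width):
        fields = []
        for alts, (vocab, name) in zip(alternatives, vocabs):
            chosen = alts[i] if len(alts) > 1 else alts[0]
            fields.append(_check_metric(chosen, vocab, name))
        if len(fields) == 2:
            fields.append(None)  # mode not given
        combos.append(Severity(*fields))
    return combos


def worst_impact(combos: List[Severity]) -> str:
    """Highest impact level reachable across all combinations (upper end of any range)."""
    return max((c.impact.split(" to ")[-1] for c in combos), key=IMPACT_LEVELS.index)


if __name__ == "__main__":
    for line in ("Severity: none to high, remote, active",
                 "low/none to high, remote/local",
                 "none to medium, indirect, passive"):
        combos = parse_severity(line)
        print(line, "->", combos, "worst impact:", worst_impact(combos))
```

The parser deliberately rejects strings whose slash counts do not line up across metrics, since the conventions define slashes as positional pairings; a triage script built on it can therefore trust `worst_impact()` when filtering a CHANGES file for "high" entries.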
Changes made between Owl 3.1 and Owl-current.
2015/01/28 Package: glibc
SECURITY FIX Severity: none to high, remote, active
Backported upstream's fix for a buffer overflow in gethostbyname*()
functions, which could be triggered via a crafted IP address argument.
Depending on the application that uses these functions, this
vulnerability could allow a local or a remote attacker to execute
arbitrary code. From the analysis by Qualys (referenced below), it is
known that the issue could be exploited remotely via Exim (which we do
not include in Owl) or locally via clockdiff or procmail if these are
installed SUID/SGID or with filesystem capabilities (not the case on
Owl). While there's no known security impact on Owl itself, Owl with
third-party software added (as many real-world installs have) may be
affected, with worst-case impact ranging up to a remote root compromise.
References:
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
2015/01/26 Package: libnss
SECURITY FIX Severity: none to medium, indirect, passive
Updated to 3.17.3, which (since version 3.17.1) includes a fix for "RSA
PKCS#1 signature verification forgery is possible due to too-permissive
SignatureAlgorithm parameter parsing" (CVE-2014-1568). The only part
potentially affected by this in Owl is RPM since it is the only package
using NSS currently, although we do not use RPM's signature verification
for Owl's own packages (we use GnuPG-signed mtree files instead).
References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
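The NSS issue above belongs to the general class where a PKCS#1 v1.5 verifier parses the recovered padding block and tolerates bytes it does not understand. As an added example (not code from NSS, RPM or Owl), the following Python contrasts the approach RFC 8017 specifies for RSASSA-PKCS1-v1_5 verification (rebuild the expected encoded message and compare it byte for byte) with a deliberately lenient parse-then-check verifier written here for illustration. The lenient routine's specific tolerances (ignoring AlgorithmIdentifier parameters and anything after the hash) are this example's own construction and are not a description of NSS's code; the test input is likewise constructed.

```python
"""PKCS#1 v1.5 signature padding: byte-exact comparison versus lenient parsing."""
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256:
# SEQUENCE { SEQUENCE { OID sha256, NULL }, OCTET STRING (32 bytes) }
SHA256_DIGEST_INFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_OID_TLV = bytes.fromhex("0609608648016503040201")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """RFC 8017 section 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T, T being the DigestInfo."""
    t = SHA256_DIGEST_INFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, message: bytes, k: int) -> bool:
    """Encode-then-compare: the recovered block must equal the expected one exactly."""
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def _read_tlv(buf: bytes, pos: int):
    """Read one ASN.1 TLV at pos and return (tag, value, next_pos); accepts long-form lengths."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def verify_lenient(em: bytes, message: bytes) -> bool:
    """Parse-then-check, deliberately permissive (an illustration of the bug class, not
    any real library's code): AlgorithmIdentifier parameters and bytes after the hash are
    never examined, and any padding of at least eight 0xFF bytes is accepted."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 2 + 8 or em[2:sep] != b"\xff" * (sep - 2):
        return False
    try:
        tag, digest_info, _ = _read_tlv(em, sep + 1)
        if tag != 0x30:
            return False
        tag, alg_id, pos = _read_tlv(digest_info, 0)
        if tag != 0x30:
            return False
        tag, oid, _ = _read_tlv(alg_id, 0)  # whatever follows the OID inside alg_id is ignored
        if tag != 0x06 or b"\x06" + bytes([len(oid)]) + oid != SHA256_OID_TLV:
            return False
        tag, digest, _ = _read_tlv(digest_info, pos)  # bytes after the hash are ignored too
    except IndexError:
        return False
    return tag == 0x04 and hmac.compare_digest(digest, hashlib.sha256(message).digest())


def stuffed_em(message: bytes, k: int, junk: bytes) -> bytes:
    """Constructed test input: a block with junk stuffed into the AlgorithmIdentifier
    parameters and lengths fixed up, so a lenient parser walks it without complaint."""
    alg_id_body = SHA256_OID_TLV + b"\x05\x00" + junk
    alg_id = b"\x30" + bytes([len(alg_id_body)]) + alg_id_body
    digest = b"\x04\x20" + hashlib.sha256(message).digest()
    di_body = alg_id + digest
    t = b"\x30" + bytes([len(di_body)]) + di_body
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


if __name__ == "__main__":
    msg, k = b"package manifest", 128  # k = modulus length in bytes for a 1024-bit key
    good = emsa_pkcs1_v15_encode(msg, k)
    stuffed = stuffed_em(msg, k, b"\xde\xad" * 8)
    print("valid block:   strict", verify_strict(good, msg, k), "lenient", verify_lenient(good, msg))
    print("stuffed block: strict", verify_strict(stuffed, msg, k), "lenient", verify_lenient(stuffed, msg))
```

The stuffed block is accepted by the lenient verifier and rejected by the strict one. Bytes a verifier tolerates but does not check are exactly what gives an attacker room to manoeuvre when forging low-exponent RSA signatures, which is why byte-exact comparison of the whole encoded message, rather than parsing it, is the recommended implementation.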
2015/01/26 Package: libnspr
Updated to 4.10.7.
2015/01/04 Package: openssl
SECURITY FIX Severity: none to medium, remote, active
Updated to 1.0.0o, which fixes "Information leak in pretty printing
functions" (CVE-2014-3508), "Race condition in
ssl_parse_serverhello_tlsext" (CVE-2014-3509), "Session Ticket Memory
Leak" (CVE-2014-3567), and adds support for "SSL 3.0 Fallback
protection" to let applications mitigate POODLE (CVE-2014-3566).
References:
https://www.openssl.org/news/secadv_20140806.txt
https://www.openssl.org/news/secadv_20141015.txt
2015/01/04 Package: bash
Updated to 3.1 patchlevel 23.
2015/01/04 Package: help2man
New package: help2man, which creates simple man pages from the output of
programs. It currently generates the diff(1) man page during Owl build.
2014/12/28 Package: kernel
SECURITY FIX Severity: none to high, local, active
Updated to 2.6.18-400.el5.028stab117.2, which most importantly fixes a
local privilege escalation vulnerability on x86-64 (CVE-2014-9322).
References:
https://openvz.org/Download/kernel/rhel5/028stab117.2
http://www.openwall.com/lists/oss-security/2014/12/15/6
https://rhn.redhat.com/errata/RHSA-2014-2008.html
https://rhn.redhat.com/errata/RHSA-2014-1959.html
https://openvz.org/Download/kernel/rhel5/028stab116.1
https://rhn.redhat.com/errata/RHBA-2014-1196.html
https://rhn.redhat.com/errata/RHSA-2014-1143.html
https://rhn.redhat.com/errata/RHSA-2014-0926.html
2014/10/25 Package: tzdata
Updated to 2014i.
2014/09/25 -
2014/09/27 Package: bash
SECURITY FIX Severity: none to high, remote, active
Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer
of Red Hat. This fixes vulnerabilities in, and introduces security
hardening of, function imports, which could in many setups be exploited
remotely.
References:
http://www.openwall.com/lists/oss-security/2014/09/24/10
http://www.openwall.com/lists/oss-security/2014/09/24/11
http://www.openwall.com/lists/oss-security/2014/09/24/40
http://www.openwall.com/lists/oss-security/2014/09/25/5
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://www.openwall.com/lists/oss-security/2014/09/25/32
http://www.openwall.com/lists/oss-security/2014/09/26/2
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
2014/08/16 Package: strace
Updated to 4.9.
2014/07/12 Package: sqlite
Introduced a new package due to the new RPM requirements.
2014/07/12 Package: rpm
Updated to 4.11.2.
The payload compression method was changed from bzip2 to xz.
2014/07/12 Package: mpfr
Updated to 3.1.2 patch-level 8.
2014/07/12 Package: m4
Updated to 1.4.17.
2014/07/12 Package: libtool
Updated to 2.4.2.
2014/07/12 Package: libpopt
Updated to 1.16.
Introduced the libpopt library as an independent, separate package.
2014/07/12 Package: libnss
Introduced a new package due to the new RPM requirements.
2014/07/12 Package: libnspr
Introduced a new package due to the new RPM requirements.
2014/07/12 Package: libnet
Updated to 1.2-rc3.
2014/07/12 Package: libmpc
Updated to 1.0.2.
2014/07/12 Package: gmp
Updated to 6.0.0a.
2014/07/12 Package: gettext
Updated to 0.19.1.
2014/07/12 Package: gdbm
Updated to 1.11.
2014/07/12 Package: flex
Updated to 2.5.39.
2014/07/12 Package: file
Updated to 5.19.
2014/07/12 Package: coreutils
Updated to 8.22.
2014/07/12 Package: bison
Updated to 3.0.2.
2014/07/12 Package: automake
Updated to 1.14.
2014/07/12 Package: autoconf
Updated to 2.69.
$Owl: Owl/doc/CHANGES-current,v 1.14 2015/01/28 04:43:45 solar Exp $